Networks used to be much more straightforward: a few devices, with rules written by hand by a handful of people, so systems were relatively stable. Technologies such as cloud computing, virtualization, and the Internet of Things have created complex, dynamic networks made up of countless devices. Now, our partner, FireMon, shows us how to better manage firewall rulesets in the latest Vandis Insight Blog webinar recap.

Optimizing Rulesets without Headaches

Optimizing a firewall ruleset is a tedious process, but the benefits can ultimately save you and your organization time, money, and many future headaches. The first step in optimization is to remove unnecessary processes. FireMon offers a report that identifies both redundant and shadowed rules, which can be safely removed without compromising security. Redundancy occurs when two or more rules serve the same purpose (such as opening the same port); all but one of these can be removed without changing the function of the firewall in any way. Shadowing occurs when two commands with matching criteria are configured in such a way that the process with a broader scope is placed above the process with more specific conditions. Because the firewall evaluates rules top-down, traffic matches the broader rule first and the more specific rule's action is rendered virtually useless.

Unused rules – processes with no hit count for a given amount of time – can also be removed from a ruleset. FireMon has a separate report that reveals which rules have not been used for a specified amount of time. Use caution when deciding what to eliminate, as some commands may only be used once a year or less often, especially those designated for disaster recovery purposes. Additionally, this Unused Rule report can show individual components of a process (for example, a single source or destination object) that have not been used within a specific timeframe. These components can be deleted, streamlining a particular rule and thus simplifying the overall ruleset.

Identification Through Traffic Flow Analysis

The next step in firewall ruleset optimization is Traffic Flow Analysis. FireMon’s Traffic Flow Analysis report identifies the source and the destination of overly permissive rules in the existing firewall policies. To avoid denying legitimate traffic, processes with more specific criteria may need to be put into place above those that are too broad. If, after carefully combing through the overly permissive rules line by line, you determine that they are unnecessary, they can be safely eliminated from the ruleset. Traffic Flow Analysis allows you to ensure that trusted sources (identified, for example, by a source IP address or range of IP addresses) can access specific data.

FireMon’s Rule Consolidation report will help to collapse two or more processes into a single command - making firewall administrators' jobs effortless. Multiple rules can be consolidated only if combining them will not change the behavior of the policy. Finally, after minimizing the number of processes by strategically eliminating and consolidating, you should optimize the rule order. A ruleset’s order is optimized when the commands used most often are at the top of the ruleset; this prevents traffic from being evaluated against superfluous rules before reaching the relevant one. FireMon provides a report that shows frequently used processes that are situated low in the rule base to assist in optimizing the ruleset order.
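The checks described in the sections above (redundant and shadowed rule detection, unused rule reporting, and behavior-preserving reordering by hit count) can be illustrated on a small in-memory ruleset. The following Python script is an added example written for this recap; it is not FireMon's code and does not reproduce how FireMon's reports work. The rule model (`Rule`), the constructed sample ruleset (`SAMPLE_RULES`, using documentation address ranges), and the hit counts are all assumptions. A later rule that an earlier rule fully covers is reported as redundant when both have the same action and as shadowed when the actions differ; a rule with zero hits is reported as unused unless it is marked exempt (the disaster-recovery caveat from the text); and reordering only swaps a busier rule above a quieter one when the two cannot match the same packet or have the same action, so the policy's behavior is unchanged.

```python
from dataclasses import dataclass
from ipaddress import ip_network

ANY_PORT = (0, 65535)  # inclusive port range meaning "any port"


@dataclass
class Rule:
    name: str
    action: str          # "allow" or "deny"
    src: str             # source CIDR
    dst: str             # destination CIDR
    proto: str           # "tcp", "udp" or "any"
    ports: tuple         # (low, high) destination port range, inclusive
    hits: int = 0        # hit count over the observation window (assumed)
    exempt: bool = False # e.g. disaster-recovery rule: never flag as unused


def _within(inner, outer):
    """True if CIDR `inner` lies entirely inside CIDR `outer`."""
    a, b = ip_network(inner, strict=False), ip_network(outer, strict=False)
    return a.version == b.version and a.subnet_of(b)


def covers(broad, narrow):
    """True if every packet matched by `narrow` is also matched by `broad`."""
    if broad.proto not in ("any", narrow.proto):
        return False
    if not (broad.ports[0] <= narrow.ports[0] and narrow.ports[1] <= broad.ports[1]):
        return False
    return _within(narrow.src, broad.src) and _within(narrow.dst, broad.dst)


def overlaps(a, b):
    """True if at least one packet could match both rules."""
    if "any" not in (a.proto, b.proto) and a.proto != b.proto:
        return False
    if a.ports[1] < b.ports[0] or b.ports[1] < a.ports[0]:
        return False
    sa, sb = ip_network(a.src, strict=False), ip_network(b.src, strict=False)
    da, db = ip_network(a.dst, strict=False), ip_network(b.dst, strict=False)
    return sa.version == sb.version and da.version == db.version \
        and sa.overlaps(sb) and da.overlaps(db)


def classify(rules):
    """Top-down walk: a rule fully covered by an earlier rule is redundant
    (same action) or shadowed (different action). Returns (name, covered_by) pairs."""
    redundant, shadowed = [], []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                bucket = redundant if earlier.action == later.action else shadowed
                bucket.append((later.name, earlier.name))
                break
    return redundant, shadowed


def unused(rules):
    """Rules with no hits in the window, skipping rules marked exempt."""
    return [r.name for r in rules if r.hits == 0 and not r.exempt]


def reorder(rules):
    """Bubble busier rules upward, but only past a neighbour they cannot
    conflict with (no overlapping match, or same action); each swap preserves
    behaviour, and the number of hit-count inversions strictly decreases."""
    ordered = list(rules)
    changed = True
    while changed:
        changed = False
        for i in range(1, len(ordered)):
            above, below = ordered[i - 1], ordered[i]
            safe = not overlaps(above, below) or above.action == below.action
            if below.hits > above.hits and safe:
                ordered[i - 1], ordered[i] = below, above
                changed = True
    return [r.name for r in ordered]


def optimize(rules):
    """Run the steps in the order the text gives: drop redundant and shadowed
    rules, report what is unused in what remains, then reorder by hit count."""
    redundant, shadowed = classify(rules)
    drop = {n for n, _ in redundant} | {n for n, _ in shadowed}
    kept = [r for r in rules if r.name not in drop]
    return {"redundant": redundant, "shadowed": shadowed,
            "unused": unused(kept), "order": reorder(kept)}


# Constructed sample ruleset (documentation address ranges, made-up hit counts).
SAMPLE_RULES = [
    Rule("allow-web",        "allow", "10.0.0.0/8",     "192.0.2.10/32",     "tcp", (443, 443), hits=12000),
    Rule("allow-web-dup",    "allow", "10.1.0.0/16",    "192.0.2.10/32",     "tcp", (443, 443), hits=0),
    Rule("allow-legacy-ftp", "allow", "10.2.0.0/16",    "192.0.2.30/32",     "tcp", (21, 21),   hits=0),
    Rule("deny-all-lan",     "deny",  "10.0.0.0/8",     "192.0.2.0/24",      "any", ANY_PORT,   hits=300),
    Rule("allow-ssh-admin",  "allow", "10.0.5.0/24",    "192.0.2.20/32",     "tcp", (22, 22),   hits=0),
    Rule("allow-dns",        "allow", "172.16.0.0/12",  "198.51.100.53/32",  "udp", (53, 53),   hits=50000),
    Rule("dr-backup",        "allow", "172.16.9.0/24",  "203.0.113.7/32",    "tcp", (873, 873), hits=0, exempt=True),
]

if __name__ == "__main__":
    for key, value in optimize(SAMPLE_RULES).items():
        print(f"{key}: {value}")
```

On the sample set, `allow-web-dup` is flagged redundant (covered by `allow-web`, same action), `allow-ssh-admin` is flagged shadowed (covered by the broader `deny-all-lan` above it, different action), `allow-legacy-ftp` is the only unused rule once exempt rules are excluded, and the reorder moves `allow-dns` to the top while refusing to lift `deny-all-lan` above `allow-legacy-ftp`, since those two overlap with different actions. The exempt flag is the mechanism for the caveat in the text: a rule seen once a year for disaster recovery should be excluded from the unused report rather than deleted on the strength of a short observation window.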

The Key to Digital Infrastructure Health

Optimizing your firewall’s ruleset is vital to the overall health of your organization’s network. It increases the overall security posture while decreasing the probability of human error in making policy changes. It aids in keeping your organization in line with compliance procedures and accelerates restoration times. Last but certainly not least, optimizing your firewall ruleset can significantly reduce CPU load and can extend the overall life of a firewall platform.